Smash the Talent Gap: 5 Tips to Build Your Security Dream Team

Posted by Matt Radolec

If you have open positions on your security team and find yourself struggling to find the perfect match, you’re not alone. The worldwide talent gap for cybersecurity experts is currently more than 3 million, according to ISC2 and Cyber Seek, which found there are close to half a million open cybersecurity roles.

With demand far outpacing supply, the best emerging and experienced security talent can be highly selective and doesn’t have to settle for anything less than a perfect fit. But where do you start when building a solid team with the skills, depth of experience and expertise to do it all?

Here are five tips to consider when building or hiring your security team:

  • Right-Size Your Expectations. Many organizations are looking for an all-in-one “security guru” who can perform deep technical forensics analysis, triage and respond to alerts from security tools, manage said security tools, be a security stakeholder in technology projects and make “secure” architecture and design decisions.

    While this may sound like a surefire approach, this type of search is destined to fail. Each cyber domain is a highly specialized skill set, so if you want it all in one person, you will need lots of budget for this person to build and run your security program.

    Given the cyber skills shortage, a better approach is to break down these functional areas. Set out to find mid-level hires who can grow into gurus. For example, you can hire a security analyst that specializes in examining and responding to alerts and managing security tools. Then, help them grow into a forensics role—a typical career path for analysts at many security companies.


  • Sniff Out the Phonies. It’s pretty easy these days to create a resume with all the buzzwords under the sun. Once someone has started, it is too late to find out they only know the buzzwords. To separate the winners from the rest, always have a hands-on element to your interviews. Have job applicants complete a hands-on investigation into an incident they don’t know anything about on technology they’ve never seen before. Seeing how resilient and resourceful they are is a great way to find strong candidates.


  • Recruit and Retain Strong Managers. If you find and develop a strong cyber expert, making them a strong manager is your best bet for long-term success. In cybersecurity, many people like working for someone who leads by example and is willing to show them how to do the work and not just tell them what to do. Consider sending your top cyber talent to management training and developing their management skills, and when hiring from the outside, make sure the leaders you bring in are willing to lead by example.


  • Have a Playground. Providing a lab environment and encouraging tinkering, testing and evaluating new technology is a great way to ensure everyone’s skills stay sharp. Some organizations will outsource these capabilities to cyber ranges—like combat flight simulators—for cybersecurity professionals.


  • Be Creative with Growth and Incentive Retention. If you hire a security analyst and don’t want them to leave in two years, you will likely need to create a new position and training path. The classic “Analyst-to-Manager” path isn’t for everyone. Some employees are looking to develop specialized technical skills that may require outside training.

    Invest in their growth, build career paths that include training for that additional knowledge and skills, and promote from within. Rather than just thinking analyst-to-manager, consider specialized growth paths into areas like offensive cyber, threat intelligence and detection engineering.

Today’s cybersecurity analysts and managers are tomorrow’s leaders. To find and retain the best talent for your organization, you must think beyond traditional benefits and provide opportunities for education, skills growth and advancement.

Matt Radolec

Vice President, Incident Response and Cloud Operations, Varonis
